In my application I have implemented spring-security-oauth2. And evrything is working fine except in one case.
The scenarion is, I login to system ,I get oauth2 access_token. I request my protected resource by providing that token ,I get the results. Again I do the same request without any header(without access_token) and this time also I get the protected resource.
My protected resource related Code:
<http pattern="/**" create-session="never"
entry-point-ref="oauthAuthenticationEntryPoint"
xmlns="http://www.springframework.org/schema/security">
<anonymous enabled="true" />
<intercept-url pattern="/users" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<custom-filter ref="customFilter" position="FORM_LOGIN_FILTER"/>
<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
Also I have used custm filter. And I print client_id in my filter using authentication object like this-
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
System.out.println("----------->>>" + ((OAuth2Authentication) authentication).getAuthorizationRequest().getClientId());
With access_token i get the client_id-"test1" and After first request if I do the same request without access_token I again get the same client_id="test1"
And resource is also accessed.
I tried hard but didn't got any loop hole in the code. Any help will be appreciated.
This worked for me:
Change
create-session = "never"tocreate-session = "stateless"Hope this helps.